A Simple Example



We begin by specifying a system that starts with x equal to 0 and keeps 
incrementing x by 1 forever. In a conventional programming language, this 
might be written 

initially x = 0 ; 

loop forever x := x + 1 end loop 

The TLA specification is a formula $\Pi$ defined as follows, where the meaning
of each conjunct is indicated by the comments.

$\Pi \triangleq (x = 0)$                        Initially, $x$ equals 0.

$\qquad \wedge\ \Box[x' = x + 1]_x$              Always ($\Box$), the value of $x$ in the next
                                                 state ($x'$) equals its value in the current
                                                 state ($x$) plus 1. Ignore the subscript $x$
                                                 for now.

$\qquad \wedge\ \mathrm{WF}_x(x' = x + 1)$       Ignore this for now.

As specifications get more complicated, we need better methods of writing
formulas. We use lists of formulas bulleted with $\wedge$ and $\vee$ to denote conjunctions
and disjunctions, and we use indentation to eliminate parentheses. The
definition of $\Pi$ can then be written as

$\Pi \triangleq \wedge\ x = 0$
$\qquad\ \ \wedge\ \Box[x' = x + 1]_x$
$\qquad\ \ \wedge\ \mathrm{WF}_x(x' = x + 1)$

What a Formula Means 

A TLA formula is true or false on a behavior, which is a sequence of states,
where a state is an assignment of values to variables. Formula $\Pi$ is true on a
behavior in which the $i$th state assigns the value $i - 1$ to $x$, for $i = 1, 2, \ldots$.

Systems are real; behaviors are mathematical objects. To decide if a
system $S$ satisfies formula $\Pi$, we must first have a way of representing an
execution of $S$ as a behavior (a sequence of states). Given such a representation,
we say that system $S$ satisfies formula $\Pi$ (or that $S$ implements the
specification $\Pi$) iff (if and only if) $\Pi$ is true for every behavior corresponding
to a possible execution of $S$.






Another Example 



Next, we specify a system that starts with $x$ and $y$ both equal to 0 and repeatedly
increments $x$ and $y$ by 1. A step increments either $x$ or $y$ (but not
both). The variables are incremented in arbitrary order, but each is incremented
infinitely often. This system might be represented in a conventional
programming language as

initially x = 0, y = 0 ; 
cobegin 

loop forever x := x + 1 end loop || 
loop forever y := y + 1 end loop 
coend 

The TLA specification is the formula $\Phi$, defined as follows. For convenience,
we first define two formulas $\mathcal{X}$ and $\mathcal{Y}$, and then define $\Phi$ in terms of $\mathcal{X}$ and $\mathcal{Y}$.

$\mathcal{X} \triangleq \wedge\ x' = x + 1$          An $\mathcal{X}$ step is one that increments $x$
$\qquad\ \ \wedge\ y' = y$                            and leaves $y$ unchanged.

$\mathcal{Y} \triangleq \wedge\ y' = y + 1$          A $\mathcal{Y}$ step is one that increments $y$
$\qquad\ \ \wedge\ x' = x$                            and leaves $x$ unchanged.

$\Phi \triangleq \wedge\ (x = 0) \wedge (y = 0)$                                Initially, $x$ and $y$ equal 0.
$\qquad\ \ \wedge\ \Box[\mathcal{X} \vee \mathcal{Y}]_{(x,y)}$                  Every step is either an $\mathcal{X}$ step or a $\mathcal{Y}$ step.
$\qquad\ \ \wedge\ \mathrm{WF}_{(x,y)}(\mathcal{X}) \wedge \mathrm{WF}_{(x,y)}(\mathcal{Y})$   As explained later, this asserts that infinitely
                                                                                  many $\mathcal{X}$ and $\mathcal{Y}$ steps occur.

Formulas $\mathcal{X}$ and $\mathcal{Y}$ are called actions. An action is true or false on a step,
which is a pair of states: an old state, described by unprimed variables, and
a new state, described by primed variables.

Implementation and Stuttering 

We say that a specification (TLA formula) $F$ implements a specification $G$
iff every system that satisfies $F$ also satisfies $G$. This is true if every behavior
that satisfies $F$ also satisfies $G$, which means that all behaviors satisfy the
formula $F \Rightarrow G$. A formula is said to be valid iff it is satisfied by all behaviors.
("All behaviors" means all sequences of states, not just ones that represent
the execution of some particular system.) So, $F$ implements $G$ if the formula
$F \Rightarrow G$ is valid. Implementation is implication.

A system that repeatedly increments $x$ and $y$ repeatedly increments $x$.
Therefore, specification $\Phi$ should implement specification $\Pi$. This means
that every behavior satisfying $\Phi$ should also satisfy $\Pi$. Behaviors that satisfy
$\Phi$ allow steps that increment $y$ and leave $x$ unchanged. Therefore, $\Pi$ must
allow steps that leave $x$ unchanged. That's where the subscript $x$ comes in.
For any action (Boolean formula containing constants, variables and primed
variables) $A$ and every state function (expression containing only constants
and unprimed variables) $f$, we define

$[A]_f \triangleq A \vee (f' = f)$

where $f'$ is the expression obtained by priming all the variables in $f$. Thus,
a step satisfies $[A]_f$ iff it satisfies $A$ or it leaves $f$ unchanged. The formula
$\Box[A]_f$ asserts that every step is an $A$ step (one that satisfies $A$) or leaves $f$
unchanged. Hence, the conjunct $\Box[x' = x + 1]_x$ of $\Pi$ does allow steps that
leave $x$ unchanged. Such steps are called stuttering steps.

In mathematics, the formula $x' = x + 1$ is not an assertion about a
universe just containing $x$; it is an assertion about a universe containing all
possible variables, including $x$, $y$, and $z$. The formula $x' = x + 1$ simply
doesn't say anything about $y$ and $z$. Similarly, formula $\Pi$ is an assertion
about sequences of states, where a state is an assignment of values to all
variables, not just to $x$. Formula $\Pi$ specifies a system whose execution is
described by the changes to $x$. But a behavior represents a history of some
entire universe containing that system. To be a sensible specification, $\Pi$
must allow stuttering steps in which other parts of the universe change while
$x$ remains unchanged.

Similarly, $\Phi$ allows steps that leave the pair $(x, y)$ unchanged, and therefore
leave both $x$ and $y$ unchanged. If we are just observing $x$ and $y$, then
there is no way to tell that such a step has occurred.

Stuttering steps make it unnecessary to consider finite behaviors. An 
execution in which a system halts is represented by an infinite behavior in 
which the variables describing that system stop changing after a finite number 
of steps. When a system halts, it doesn't mean that the entire universe comes 
to an end. Thus, by a behavior, we mean an infinite sequence of states. 

Fairness 

Formula $\Box[x' = x + 1]_x$ allows arbitrarily many steps that leave $x$ unchanged.
In fact, it is satisfied by a behavior in which $x$ never changes. We want to
require that $x$ be incremented infinitely many times, so our specification must
rule out behaviors in which $x$ is incremented only a finite number of times.
This is accomplished by the WF formula, as we now explain.

An action $A$ is said to be enabled in a state $s$ iff there exists some state $t$
such that the pair of states (old-state $s$, new-state $t$) satisfies $A$. The formula
$\mathrm{WF}_f(A)$ asserts of a behavior that, if the action $A \wedge (f' \neq f)$ ever becomes
enabled and remains enabled forever, then infinitely many $A \wedge (f' \neq f)$ steps
occur. In other words, if it ever becomes possible and remains forever possible
to execute an $A$ step that changes $f$, then infinitely many such steps must
occur.

Any integer can be incremented by 1 to produce a different integer. Hence,
the action $(x' = x + 1) \wedge (x' \neq x)$ is enabled in any state where $x$ is an integer.
The formula $(x = 0) \wedge \Box[x' = x + 1]_x$, which asserts that $x$ is initially 0 and
in every step is either incremented by 1 or left unchanged, implies that $x$ is
always an integer. Hence, this formula implies that $(x' = x + 1) \wedge (x' \neq x)$
is always enabled. Hence, the conjunct $\mathrm{WF}_x(x' = x + 1)$ of $\Pi$ asserts that
infinitely many $(x' = x + 1) \wedge (x' \neq x)$ steps occur. Hence, $\Pi$ asserts that $x$
is incremented infinitely often, as desired.

Similarly, $(x = 0) \wedge \Box[\mathcal{X} \vee \mathcal{Y}]_{(x,y)}$ implies that $x$ is always an integer,
so $\mathcal{X} \wedge ((x, y)' \neq (x, y))$ is always enabled. Hence, $\Phi$ implies that $x$ is
incremented infinitely often. Every behavior satisfying $\Phi$ does satisfy $\Pi$, so
$\Phi \Rightarrow \Pi$ is valid.

WF stands for Weak Fairness. TLA specifications also use Strong Fairness
formulas of the form $\mathrm{SF}_f(A)$, where $f$ is a state function and $A$ an
action. This formula asserts that if $A \wedge (f' \neq f)$ is enabled infinitely often
(in infinitely many states of the behavior), then infinitely many $A \wedge (f' \neq f)$
steps must occur. If an action ever becomes enabled forever, then it is enabled
infinitely often. Hence, $\mathrm{SF}_f(A)$ implies $\mathrm{WF}_f(A)$; strong fairness implies weak
fairness.

The subscripts in WF and SF formulas (and in the formula $\Box[A]_f$) make
it syntactically impossible to write a formula that can distinguish whether or
not stuttering steps have occurred. In practice, whenever we write a formula
of the form $\mathrm{WF}_f(A)$ or $\mathrm{SF}_f(A)$, action $A$ will imply $f' \neq f$, so any $A$ step
changes $f$.
Hiding

The formula $\exists y : \Phi$ is satisfied by a behavior iff there is some sequence of
values that can be assigned to $y$ which would produce a behavior satisfying
$\Phi$. (This definition is only approximately correct; see [2] for the precise
definition.) The temporal existential quantifier $\exists y$ is the formal expression
of what it means to "hide" the variable $y$ in a specification. If we hide
$y$ in a specification asserting that $x$ and $y$ are repeatedly incremented, we
get a specification asserting that $x$ is repeatedly incremented. Thus, the
specification obtained by hiding $y$ in $\Phi$ should be equivalent to $\Pi$. Indeed, the
formula $\exists y : \Phi$ is equivalent to $\Pi$. In other words, the formula $(\exists y : \Phi) \equiv \Pi$
is valid.

Composition 

Let $\mathcal{X}$ and $\mathcal{Y}$ be the actions defined above, and let

$\Pi_x \triangleq (x = 0) \wedge \Box[\mathcal{X}]_x \wedge \mathrm{WF}_x(\mathcal{X})$
$\Pi_y \triangleq (y = 0) \wedge \Box[\mathcal{Y}]_y \wedge \mathrm{WF}_y(\mathcal{Y})$

A simple calculation shows that, if $x$ and $y$ are integers, then $[\mathcal{X}]_x \wedge [\mathcal{Y}]_y$
is equivalent to $[\mathcal{X} \vee \mathcal{Y}]_{(x,y)}$. It follows from this and the laws of temporal
logic that $\Pi_x \wedge \Pi_y$ is equivalent to $\Phi$. We can interpret $\Pi_x$ and $\Pi_y$ as the
specifications of two processes, one repeatedly incrementing $x$ and the other
repeatedly incrementing $y$, in a program whose variables are $x$ and $y$. Composing
two such processes yields a program, with variables $x$ and $y$, that
repeatedly increments both $x$ and $y$: the program specified by $\Phi$.
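Two claims made so far are about individual steps rather than whole behaviors, so they can be checked mechanically: the point of the Implementation and Stuttering section that $\Pi$'s conjunct needs the subscript (every step allowed by $[\mathcal{X} \vee \mathcal{Y}]_{(x,y)}$ is allowed by $[x' = x + 1]_x$, but not by the unsubscripted $x' = x + 1$), and the "simple calculation" above that $[\mathcal{X}]_x \wedge [\mathcal{Y}]_y$ equals $[\mathcal{X} \vee \mathcal{Y}]_{(x,y)}$. The Python below is an added example, not code from this note or from any TLA tool. It represents states as dictionaries and actions as predicates on (old state, new state), defines $[A]_f$, and checks both claims exhaustively over every step whose old and new $x$ and $y$ lie in a small window of integers; restricting to that window is an assumption of the example (the note's claims are for all integers), and the names `boxed`, `all_steps`, `counterexample` and `equivalent` are the example's own.

```python
from itertools import product
from typing import Any, Callable, Dict, List, Optional, Tuple

# A state assigns values to variables; a step is a pair (old state s, new state t).
State = Dict[str, Any]
Step = Tuple[State, State]
Action = Callable[[State, State], bool]   # true or false on a step
StateFn = Callable[[State], Any]          # f is evaluated on the old state, f' on the new one


def boxed(A: Action, f: StateFn) -> Action:
    # [A]_f  =  A  or  (f' = f): an A step, or a step that leaves f unchanged.
    return lambda s, t: A(s, t) or f(t) == f(s)


# The actions and state functions of the note.
def X(s: State, t: State) -> bool:        # increments x, leaves y unchanged
    return t["x"] == s["x"] + 1 and t["y"] == s["y"]

def Y(s: State, t: State) -> bool:        # increments y, leaves x unchanged
    return t["y"] == s["y"] + 1 and t["x"] == s["x"]

def X_or_Y(s: State, t: State) -> bool:   # the action inside Phi's box conjunct
    return X(s, t) or Y(s, t)

def inc_x(s: State, t: State) -> bool:    # x' = x + 1, the action inside Pi's box conjunct (silent on y)
    return t["x"] == s["x"] + 1

def fx(s: State):
    return s["x"]

def fy(s: State):
    return s["y"]

def fxy(s: State):
    return (s["x"], s["y"])


def all_steps(values) -> List[Step]:
    """Every step whose old and new x and y lie in a finite set of integers (assumption of the
    example: the note's claims are about all integers; this is exhaustive for the window)."""
    states = [{"x": x, "y": y} for x, y in product(values, repeat=2)]
    return [(s, t) for s in states for t in states]

def counterexample(steps: List[Step], A: Action, B: Action) -> Optional[Step]:
    """First step satisfying A but not B, or None if A => B holds on every step."""
    return next(((s, t) for s, t in steps if A(s, t) and not B(s, t)), None)

def equivalent(steps: List[Step], A: Action, B: Action) -> bool:
    return counterexample(steps, A, B) is None and counterexample(steps, B, A) is None


STEPS = all_steps(range(0, 4))   # 16 states, 256 steps

# 1. Why Pi needs the subscript: every step allowed by Phi's box conjunct is allowed by Pi's,
#    but the unsubscripted x' = x + 1 rejects stuttering steps and Y steps.
PHI_STEPS_ARE_PI_STEPS = counterexample(STEPS, boxed(X_or_Y, fxy), boxed(inc_x, fx)) is None
UNSUBSCRIPTED_FAILS_ON = counterexample(STEPS, boxed(X_or_Y, fxy), inc_x)   # a stuttering step
Y_STEP = ({"x": 0, "y": 0}, {"x": 0, "y": 1})                                 # also rejected by inc_x

# 2. The calculation behind composition: [X]_x /\ [Y]_y  is equivalent to  [X \/ Y]_(x,y).
def conj_of_boxed(s: State, t: State) -> bool:
    return boxed(X, fx)(s, t) and boxed(Y, fy)(s, t)

COMPOSITION_LAW_HOLDS = equivalent(STEPS, conj_of_boxed, boxed(X_or_Y, fxy))


if __name__ == "__main__":
    print("every Phi step is a Pi step:", PHI_STEPS_ARE_PI_STEPS)
    print("x' = x + 1 alone fails on", UNSUBSCRIPTED_FAILS_ON)
    print("Y step allowed by [x' = x + 1]_x:", boxed(inc_x, fx)(*Y_STEP), "by x' = x + 1:", inc_x(*Y_STEP))
    print("[X]_x /\\ [Y]_y == [X \\/ Y]_(x,y) on all", len(STEPS), "steps:", COMPOSITION_LAW_HOLDS)
```

The first counterexample found is the stuttering step from $(0, 0)$ to $(0, 0)$: it satisfies $[\mathcal{X} \vee \mathcal{Y}]_{(x,y)}$ and $[x' = x + 1]_x$ but not $x' = x + 1$, which is precisely why $\Pi$ is written with the subscript. The composition check does not depend on the window's size: the case split is $\mathcal{X}$, or $\mathcal{Y}$, or neither (in which case both sides reduce to $(x, y)' = (x, y)$).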

In general, a specification $F$ of a system $S$ describes the behaviors (representing
histories) of a universe in which $S$ operates correctly. A specification
$G$ of a system $T$ describes behaviors of the same universe in which $T$ operates
correctly. Composing $S$ and $T$ means ensuring that both $S$ and $T$ operate
correctly in that universe. The behaviors of a universe in which both systems
operate correctly are described by the formula $F \wedge G$. Composition is
conjunction.

Assumption/Guarantee Specifications

An assumption/guarantee specification asserts that a system operates correctly
if the environment does. Let $M$ be a formula asserting that the system
does what we want it to, and let $E$ be a formula asserting that the
environment does what it is supposed to. We would expect the assumption/guarantee
specification to be $E \Rightarrow M$, the formula asserting that either
$M$ is satisfied (the system behaved as desired) or $E$ is not satisfied (the environment
did not behave correctly). However, we instead write the stronger
specification $E \stackrel{+}{\rightarrow} M$, which asserts both that $E$ implies $M$, and that no
step can make $M$ false unless $E$ has already been made false. The precise
meaning of the formula $E \stackrel{+}{\rightarrow} M$ is given in [1].

All of TLA 

TLA is built on a logic of actions, which is a language for writing predicates,
state functions, and actions, and a logic for reasoning about them. A
predicate is a Boolean expression containing constants and variables; a state
function is a non-Boolean expression containing constants and variables; and
an action is a Boolean expression containing constants, variables, and primed
variables. The complete specification language TLA+, described elsewhere,
includes such a language.

Syntactically, a TLA formula has one of the following forms:

$P$     $\Box[A]_f$     $\Box F$     $\exists x : F$

$\neg F$     $F \wedge G$     $F \vee G$     $F \Rightarrow G$     $F \equiv G$

$\mathrm{WF}_f(A)$     $\mathrm{SF}_f(A)$     $F \stackrel{+}{\rightarrow} G$     $\Diamond F$     $F \leadsto G$

where $P$ is a predicate, $f$ is a state function, $A$ is an action, $x$ is a variable,
and $F$ and $G$ are TLA formulas. The last row of formulas can be expressed
in terms of the others (and of course, all the Boolean operators can be defined
from $\neg$ and $\wedge$). The Boolean operators have their usual meanings; the
meanings of the other operators are described below.

$P$                    Satisfied by a behavior iff $P$ is true for (the values assigned to variables
                       by) the initial state.

$\Box[A]_f$            Satisfied by a behavior iff every step satisfies $A$ or leaves $f$ unchanged.

$\Box F$               ($F$ is always true.) Satisfied by a behavior iff $F$ is true for all suffixes
                       of the behavior.

$\exists x : F$        Satisfied by a behavior iff there are some values that can be assigned
                       to $x$ to produce a behavior satisfying $F$. (See [2] for the precise
                       definition.)

$\mathrm{WF}_f(A)$     (Weak fairness of $A$) Satisfied by a behavior iff $A \wedge (f' \neq f)$ is
                       infinitely often not enabled, or infinitely many $A \wedge (f' \neq f)$ steps
                       occur.

$\mathrm{SF}_f(A)$     (Strong fairness of $A$) Satisfied by a behavior iff $A \wedge (f' \neq f)$ is only
                       finitely often enabled, or infinitely many $A \wedge (f' \neq f)$ steps occur.

$F \stackrel{+}{\rightarrow} G$   Is true for a behavior iff $G$ is true for at least as long as $F$ is. (See
                       [1] for the precise definition.)

$\Diamond F$           ($F$ is eventually true.) Defined to be $\neg\Box\neg F$.

$F \leadsto G$         (Whenever $F$ is true, $G$ will eventually become true.) Defined to be
                       $\Box(F \Rightarrow \Diamond G)$.
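The meanings in the table above, and the fairness reasoning of the Fairness section, can be executed on finite descriptions of infinite behaviors. The Python below is an added example, not code from this note and not a TLA tool. It represents a behavior as a lasso (a finite prefix of states followed by a loop repeated forever), implements $P$, $\Box F$, $\Diamond F$, $F \leadsto G$, $\Box[A]_f$, $\mathrm{WF}_f(A)$ and $\mathrm{SF}_f(A)$ as predicates on lassos, and checks two claims of the note: the behavior in which $x$ never changes satisfies $(x = 0) \wedge \Box[x' = x + 1]_x$ but not $\mathrm{WF}_x(x' = x + 1)$, and, exhaustively over all small lassos, SF implies WF. Two assumptions are the example's own: enabledness is decided by searching a finite candidate set of states (`CANDIDATES`) rather than all states, and a lasso can only describe behaviors whose variables eventually stay bounded, so it can exhibit violations of $\Pi$ but not behaviors satisfying $\Pi$ (in which $x$ is unbounded). The names `Lasso`, `find_lasso`, `NEVER_CHANGES` and `HALTS_AT_TWO` are constructed for the example.

```python
from itertools import product
from typing import Any, Callable, Dict, List, Optional, Tuple

State = Dict[str, Any]


class Lasso:
    """An infinite behavior given finitely: the states of `prefix`, then `loop` repeated forever.
    Any violation of a temporal formula has such an ultimately periodic witness."""

    def __init__(self, prefix: List[State], loop: List[State]):
        assert loop, "the loop must be non-empty"
        self.prefix, self.loop = list(prefix), list(loop)

    def first(self) -> State:
        return (self.prefix + self.loop)[0]

    def steps(self) -> List[Tuple[State, State]]:      # every step, including the one closing the loop
        seq = self.prefix + self.loop
        return list(zip(seq, seq[1:])) + [(self.loop[-1], self.loop[0])]

    def loop_steps(self) -> List[Tuple[State, State]]:  # the steps that occur infinitely often
        return list(zip(self.loop, self.loop[1:])) + [(self.loop[-1], self.loop[0])]

    def suffixes(self) -> List["Lasso"]:                # one representative of each distinct suffix
        n, m = len(self.prefix), len(self.loop)
        return ([Lasso(self.prefix[i:], self.loop) for i in range(n)]
                + [Lasso([], self.loop[j:] + self.loop[:j]) for j in range(m)])


Formula = Callable[[Lasso], bool]        # a TLA formula: true or false on a behavior
Action = Callable[[State, State], bool]  # an action: true or false on a step

def init(P) -> Formula:                   # predicate P: true iff P holds in the initial state
    return lambda b: P(b.first())

def always(F: Formula) -> Formula:        # []F: F holds for every suffix
    return lambda b: all(F(s) for s in b.suffixes())

def eventually(F: Formula) -> Formula:    # <>F  =  ~[]~F
    return lambda b: not always(lambda s: not F(s))(b)

def leads_to(F: Formula, G: Formula) -> Formula:   # F ~> G  =  [](F => <>G)
    return always(lambda b: (not F(b)) or eventually(G)(b))

def box_action(A: Action, f) -> Formula:  # [][A]_f: every step is an A step or leaves f unchanged
    return lambda b: all(A(s, t) or f(t) == f(s) for s, t in b.steps())

def conj(*Fs: Formula) -> Formula:
    return lambda b: all(F(b) for F in Fs)

def enabled(A: Action, s: State, candidates: List[State]) -> bool:
    """A is enabled in s iff some state t makes (s, t) an A step. TLA ranges over all states;
    this example (an assumption) searches a finite candidate set, which must be large enough."""
    return any(A(s, t) for t in candidates)

def weak_fairness(A: Action, f, candidates: List[State]) -> Formula:
    """WF_f(A). On a lasso, 'A /\\ (f' # f) eventually enabled forever' means enabled in every
    loop state, and 'infinitely many such steps' means some loop step is one."""
    Af = lambda s, t: A(s, t) and f(t) != f(s)
    return lambda b: (not all(enabled(Af, s, candidates) for s in b.loop)
                      or any(Af(s, t) for s, t in b.loop_steps()))

def strong_fairness(A: Action, f, candidates: List[State]) -> Formula:
    """SF_f(A): 'enabled infinitely often' means enabled in some loop state."""
    Af = lambda s, t: A(s, t) and f(t) != f(s)
    return lambda b: (not any(enabled(Af, s, candidates) for s in b.loop)
                      or any(Af(s, t) for s, t in b.loop_steps()))


# Specification Pi of the first section, over the single variable x.
def inc_x(s: State, t: State) -> bool:    # the action x' = x + 1
    return t["x"] == s["x"] + 1

def fx(s: State):
    return s["x"]

CANDIDATES = [{"x": v} for v in range(-1, 8)]   # finite stand-in for "all states" (assumption)
PI_SAFETY = conj(init(lambda s: s["x"] == 0), box_action(inc_x, fx))
PI = conj(PI_SAFETY, weak_fairness(inc_x, fx, CANDIDATES))

# Constructed behaviors: both satisfy Pi's safety conjuncts but increment x only finitely often.
NEVER_CHANGES = Lasso([], [{"x": 0}])                    # x stutters forever
HALTS_AT_TWO = Lasso([{"x": 0}, {"x": 1}], [{"x": 2}])   # two increments, then stutters forever


def find_lasso(pred: Formula, values=(0, 1, 2), max_len=2) -> Optional[Lasso]:
    """First lasso over states {x in values}, prefix and loop at most max_len long, satisfying pred."""
    states = [{"x": v} for v in values]
    for np_ in range(max_len + 1):
        for nl in range(1, max_len + 1):
            for prefix, loop in product(product(states, repeat=np_), product(states, repeat=nl)):
                b = Lasso(prefix, loop)
                if pred(b):
                    return b
    return None
```

`PI_SAFETY(NEVER_CHANGES)` is true and `PI(NEVER_CHANGES)` is false, which is the Fairness section's observation that $\Box[x' = x + 1]_x$ alone is satisfied by a behavior in which $x$ never changes; `HALTS_AT_TWO` behaves the same way. Searching with `find_lasso` for a lasso satisfying SF but not WF finds none, as the note says it must; searching for one satisfying WF but not SF does find one once the action is only intermittently enabled, which is why the two fairness conditions are distinguished.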